Password Security

Posted on 2003-03-21
Medium Priority
Last Modified: 2010-03-05
I have a reasonably well encrypted login page (Java applet), but I'm not sure how to protect the target page / frameset from being bookmarked and then called directly, bypassing the login page. Is there a JavaScript which I can place in the target frameset which will automatically divert surfers to the login page if it hasn't been called from there?

Every site I've visited seems to be able to do this so I'm probably asking a stupid question.


Question by: bren2310

Accepted Solution

CyberGhost earned 500 total points
ID: 8179971
This simple question may need a slightly difficult answer.

First, if I have understood your question, you mainly have 2 pages. The first is the login (login.html or so) and the second is where users are redirected when they have entered a correct username/password.

So you have to do one of the following:

1. You can use COOKIES to determine if the user is logged in or not (the cookie is set if he is and not if he's not). This solution is, however, a little insecure. This is because not all browsers support cookies and a lot of them (especially somewhere in public places) have cookies disabled due to security reasons.

2. You can use a database to write the current user's IP and determine if the request comes from that IP. If it did, then the user is logged in. If not, just display the login page. This is also not 100% acceptable for developers because the IP can be dynamically changed by the provider (especially if the user is connected via phone).

3. You can set a random SESSION ID for each logged-in user, which you can write to the DB instead of the IP. This can be deleted if the user is inactive for 30 minutes or so or if he/she clicks the LOGOUT link. This is similar to point 2. The only change is the SESSION ID instead of the IP, which can change.

... if someone knows another solution, we will be grateful to receive it. Because all of these solutions are valid but a little uncomfortable.


... as far as I know there is no JavaScript to disable bookmarking or viewing the contents of any site. I can't program in Java and don't know if it supports (or can work with) cookies. Instead of Java you can also use PHP or something like that.

Assisted Solution

PaulBobby earned 500 total points
ID: 8185288
You store the cookie on the target's computer.

Whenever someone connects to any of your pages, call that cookie. That cookie contains the username/password/whatever.

If that username/password/whatever equals 'logged in' (read from your database) then allow them direct access to that page.

Otherwise deny and redirect.

If the user cannot store cookies, then every time they visit your website, they will be redirected.

Unless you explicitly provide a server-side storage functionality, people are pretty much used to having to store some sort of cookie to get access back to your server.
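A worked version of the session-ID approach from CyberGhost's point 3 and of the per-page cookie check PaulBobby describes, added here as an illustration and not code from either answer. It is Python rather than the Java/PHP/ASP the thread talks about. The cookie carries only a random session ID; a server-side table (a dict standing in for the database) decides who is logged in, with the 30-minute inactivity timeout and the LOGOUT link from the answer. The user name, password, time limit and the /login.html redirect target are constructed for the example.

```python
import secrets

# Constructed user table for the example (in a real site the login page checks this).
USERS = {"bren2310": "correct-horse-battery"}
INACTIVITY_LIMIT = 30 * 60  # seconds; "30 minutes or so" from the answer

# Server-side session table, standing in for the DB table the answer describes.
# Key: opaque session id (the only thing that goes in the cookie).
# Value: who it belongs to and when they were last seen.
SESSIONS = {}


def login(username, password, now):
    """Check credentials; on success create a random session id and return it, else None."""
    expected = USERS.get(username)
    if expected is None or not secrets.compare_digest(expected, password):
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable, unlike an IP
    SESSIONS[sid] = {"user": username, "last_seen": now}
    return sid


def current_user(sid, now):
    """Gate for every protected page: return the user for a live session, else None.

    A session idle longer than INACTIVITY_LIMIT is deleted, so a bookmarked
    protected page stops working once the user has walked away.
    """
    entry = SESSIONS.get(sid) if sid else None
    if entry is None:
        return None
    if now - entry["last_seen"] > INACTIVITY_LIMIT:
        del SESSIONS[sid]
        return None
    entry["last_seen"] = now  # sliding window: activity extends the session
    return entry["user"]


def logout(sid):
    """The LOGOUT link: forget the session server-side, so the cookie value becomes worthless."""
    SESSIONS.pop(sid, None)


def protected_page(sid, now):
    """What each protected page does first: render for a logged-in user, or redirect to login."""
    user = current_user(sid, now)
    if user is None:
        return ("302 Redirect", "/login.html")
    return ("200 OK", "Hello " + user)
```

Because the cookie never carries the username or password, a bookmarked page is useless without a live server-side entry, and logging out invalidates the cookie even if the browser keeps it.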

Expert Comment

ID: 8192168
You need to include protection on every page you don't want accessed, not just the gateway to the page you want to hide. From what you are saying, if I know the location of the "protected pages" I can just go into my browser and type "www.somefin/page/location.htm" and I'll be there without a password prompt, yes/no?

Depending on your server type I think the easiest form of access control would be using simple authentication with either auth-rules or htaccess files.. if you are using a programming language for dynamic content, cookies/sessions are an option...

Expert Comment

ID: 8194238
That's another problem. You have to determine if the user is logged in or not. Maybe you could use INCLUDE to include one site if the user's logged in or include another one if he isn't.

Also you can use browser authorization (Basic is the most used). You don't need cookies accepted if you use it, although you have to determine if this authorization is set or not.

I think Java will not handle this problem. Try PHP. It's fast and easy.


Expert Comment

ID: 8197204
It's fairly standard for Single Sign-on systems to use an encrypted cookie. Once decrypted, the cookie will reveal the user's identity, and some sort of expiry time. When the user connects, the web server reads the headers, and if the cookie doesn't exist, or has expired, the user is redirected to a login page. (On a Microsoft web server, this would be done with an ISAPI filter - presumably other web servers support similar APIs.) As far as HTTP is concerned, the connections are anonymous.
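The cookie-plus-expiry check this comment describes, written out as an added Python example (not code from the comment or from any SSO product or ISAPI filter). Where the comment says "encrypted", this example uses an HMAC-signed cookie instead: the user name is readable inside the cookie, but the server can detect any change to the name or the expiry, which is the property the redirect decision depends on. SERVER_KEY, the cookie name `sso` and the /login.html target are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed server secret for the example; a real deployment keeps this out of source.
SERVER_KEY = b"example-key-do-not-use"


def make_cookie(user, expires_at):
    """Issue the SSO cookie at login: user, expiry, and a MAC over both."""
    payload = f"{user}|{int(expires_at)}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def read_cookie(value, now):
    """Return the user if the cookie is authentic and unexpired, else None."""
    try:
        payload_b64, tag = value.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
    except ValueError:  # missing separator or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered with or forged: MAC does not match
    user, _, exp = payload.decode(errors="replace").rpartition("|")
    if not exp.isdigit() or now >= int(exp):
        return None  # expired (or malformed expiry)
    return user


def handle_request(headers, now):
    """What the filter does on each request: read the cookie from the headers and
    either let the request through (user known) or redirect to the login page."""
    cookies = {}
    for part in headers.get("Cookie", "").split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name] = val
    user = read_cookie(cookies.get("sso", ""), now)
    if user is None:
        return ("302", "/login.html")
    return ("200", user)
```

As the comment notes, the HTTP connection itself stays anonymous; all of the identity lives in the cookie, so the MAC and the expiry are what stop a bookmarked page from working for anyone who did not log in.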

Assisted Solution

MCSE-2002 earned 500 total points
ID: 8214128
if you are using IIS and ASP, then just create a protected.asp page, and include it at the top of every page you want protected.

--------- begin code
<%
loggedIn = False
If Request.Cookies("Superuser").HasKeys Then
  username = Request.Cookies("Superuser")("username")
  If LCase(username) = LCase("daBoss") Then
    'do nothing, they are ok
    loggedIn = True
  End If
End If
If Not loggedIn Then
  'no cookie (or wrong name), buh bye
  Response.Redirect "login.html"  'your login page; the name is assumed here
End If
%>
--------end code

If they do not have the key, they are redirected to the login page. This is pretty simple, (an example), but you get the idea.

You can set the cookie on another page by using

response.cookies("Superuser")("username") = "daBoss"
response.cookies("Superuser").Expires = Date + 10

this makes the cookie good for 10 days.

Good Luck!

Expert Comment

ID: 8229369
If you are hosting your site using the Apache web server, you can turn on follow symbolic links for the directory that contains the HTML files. As far as I know, with this setting of a directory you cannot access a file by directly entering the address of the file. Then you can direct your client from your login page...

Author Comment

ID: 8229918
Thank you for all your responses so far. My problem is that whilst I know what I'm doing with JavaScript & HTML, using Perl or ASP or whatever is something I'm not familiar with and am having to learn as I go along.

In response to GtG - those hosting the site do use the Apache web server. Unfortunately I am using FrontPage for most of the site and need the FrontPage extensions installed. This effectively makes using the Apache web server security options a non-starter.

Do you / does anyone know how to make use of FrontPage's ability to set up sub webs which provide similar protection?

Brendan (bren2310)

Assisted Solution

CompCode earned 500 total points
ID: 8352494
If your web server provider allows you to create a private directory not accessible directly from the web server which contains the website (as in, no virtual directory points to it), then you could put a CGI script in a directory accessible by the web server that asks for basic authentication.  If the username and password matches a predefined pair (such as in a database), set a cookie, read in the default file from the private directory, and send it to the user.  All subsequent file requests would be sent through the CGI script, the CGI script will check for a valid cookie, and once the cookie has been validated, read the specified file from the private directory and send it to the user.  This way, the only way the public can access the files in the private directory is through basic authentication and cookies given to the public CGI script.

Expert Comment

ID: 8352516
As a side note to my comment, the nice thing about that setup is that even if the client doesn't support cookies, they can at least view files in the private directory as long as the web browser stays open, as it re-submits the basic authentication information when required for the private files. When the browser is closed, if the user wants to access the private files again, they have to re-enter the authentication information, or, if they have a cookie set with the authentication information, the cookie can bypass the need for the basic authentication. If you searched Google for keywords such as "basic authentication http 401 www-authenticate", and the CGI scripting language you're using, you could probably find some good examples.

This is how I personally protect a web site not meant for the general public.
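An added Python sketch of the CGI gate CompCode describes in the two comments above (not the poster's own script): it answers 401 with a WWW-Authenticate header until a valid Basic pair arrives, then reads the requested file from the private directory and returns it. The credential table, realm and demo directory are constructed for the example, and the cookie shortcut is left out. One check the description does not spell out is included: the requested name is resolved against the private directory's real path, so a name containing `..` cannot reach files outside it.

```python
import base64
import os
import secrets
import tempfile

# Constructed credential pair for the example ("a predefined pair, such as in a database").
USERS = {"bren2310": "s3cret"}
REALM = "Private area"


def check_basic_auth(headers):
    """Return the username if the Authorization header carries a valid Basic pair, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    if expected is None or not secrets.compare_digest(expected, password):
        return None
    return user


def resolve_private(private_dir, requested):
    """Map a requested name onto the private directory, refusing anything that escapes it."""
    root = os.path.realpath(private_dir)
    path = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, path]) != root:
        return None  # would leave the private directory
    return path


def serve(headers, requested, private_dir):
    """The CGI script's job: 401 until Basic auth succeeds, then send the private file."""
    if check_basic_auth(headers) is None:
        return (401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, b"")
    path = resolve_private(private_dir, requested)
    if path is None or not os.path.isfile(path):
        return (404, {}, b"")
    with open(path, "rb") as f:
        return (200, {"Content-Type": "text/html"}, f.read())


def basic_header(user, password):
    """Build the header a browser sends after the 401 (used by the demo below)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def make_demo_dir():
    """Create a throwaway private directory with one constructed page in it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "index.html"), "w") as f:
        f.write("<h1>members only</h1>")
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    print(serve({}, "index.html", demo)[0])  # 401: browser will prompt
    print(serve(basic_header("bren2310", "s3cret"), "index.html", demo)[0])  # 200
```

Because the private directory is never mapped to a URL, every byte the public sees passes through `serve`, which is exactly why the path check matters: the script, not the web server, is now the only thing deciding which files are reachable.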
